TL;DR: Zero trust and microsegmentation are often paired to reduce trust by default and contain lateral movement, but they solve different problems and can be misapplied when identity controls are unclear, according to Axiad. The real governance issue is not the network pattern itself, but whether IAM, access scope, and segmentation are aligned to the assets and identities they are meant to protect.
At a glance
What this is: This explainer contrasts zero trust and microsegmentation and shows that they are complementary, but not interchangeable, security controls.
Why it matters: IAM, NHI, and human access programmes often fail when trust decisions, segmentation, and authentication are treated as a single control layer rather than three that must be aligned.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Axiad's explainer on zero trust and microsegmentation
Context
Zero trust is an access model that assumes no implicit trust, while microsegmentation is a containment technique that limits how far an attacker can move if they get in. The core identity security question is whether access decisions, policy enforcement, and network boundaries are being applied to the same assets and identities.
For IAM and NHI programmes, the distinction matters because authentication does not equal containment, and segmentation does not fix over-privileged credentials. Human access, workload identity, service accounts, and other NHIs all need different control points even when they sit inside the same zero-trust programme.
Key questions
Q: How should security teams combine zero trust and microsegmentation in practice?
A: Treat zero trust as the policy for deciding who or what can access a resource, and microsegmentation as the containment layer that limits movement after access is granted. Teams get the best result when both controls are designed together, tested against real identities, and measured by how much lateral movement they prevent, not by login success alone.
Q: Why do NHIs complicate zero-trust programmes?
A: NHIs complicate zero-trust programmes because their access often spans systems, APIs, and workloads that are not visible in the same way as human accounts. If those identities carry standing privilege, zero trust can approve entry while still leaving too much reach inside the environment. Governance must cover both admission and internal scope.
Q: What breaks when microsegmentation is used without strong IAM controls?
A: Microsegmentation alone cannot fix over-privileged identities, weak credential hygiene, or missing offboarding. It may slow lateral movement, but if the identity is already broadly authorised, the attacker still has legitimate paths to sensitive systems. The result is contained compromise, not prevented compromise.
Q: How do teams know whether zero trust and segmentation are actually working?
A: Look for reduced internal reach, fewer implicit trust paths, and tighter access to sensitive services after authentication. If a compromised identity can still move freely between critical systems, the controls are not aligned. A good test is whether the identity’s practical blast radius is smaller than its authenticated access footprint.
Technical breakdown
Zero trust and identity verification
Zero trust is a policy model, not a single product or perimeter. It requires explicit authentication, authorisation, and continuous verification before access is granted, and it evaluates each subsequent request on its own terms instead of granting standing access once a subject is inside. In identity terms, the control objective is to reduce implicit trust in users, devices, workloads, and service accounts. That makes zero trust a governance layer: it decides who or what should be allowed to reach a resource, under what conditions, and with what ongoing validation. Without that discipline, access tends to accumulate faster than risk is reduced.
Practical implication: map zero-trust policy to specific identity types and entitlement boundaries instead of treating it as a network-only programme.
Microsegmentation and lateral movement control
Microsegmentation breaks a network into smaller zones with separate enforcement points. Its purpose is to contain compromise by making lateral movement harder and reducing blast radius after an attacker gains a foothold. Unlike broader network segmentation, microsegmentation is usually enforced with security policy at the workload, application, or host level, so the controls sit closer to the data and services being protected. It does not evaluate who is authenticating, but it does bound which workloads a connection can reach once trust has been granted.
Practical implication: design segment boundaries around business services and sensitive identities, not just around network topology.
Why zero trust and microsegmentation are complementary
Zero trust governs admission and ongoing trust decisions. Microsegmentation governs what happens after admission. Used together, they reduce both initial access risk and post-compromise spread, but they fail when teams treat them as substitutes. A system can be strongly segmented and still expose excessive privilege, or it can enforce zero-trust login checks while leaving east-west movement wide open. The identity lesson is that control must exist at both the authorisation edge and the internal movement layer.
Practical implication: align authentication, authorisation, and internal containment controls so one layer does not assume the other will compensate.
NHI Mgmt Group analysis
Zero trust fails when teams mistake admission control for full identity governance. The article reinforces a common structural weakness: verifying a user or device at the edge does not mean the identity is safe everywhere else. In practice, over-privileged service accounts, workload identities, and human users can still move too far once admitted. The practitioner conclusion is that zero trust only works as part of a broader identity control model.
Microsegmentation is a blast-radius control, not an identity control. It can reduce lateral movement, but it cannot correct weak entitlements, poor lifecycle management, or missing offboarding. That makes it necessary in mature environments, but insufficient on its own. The practitioner conclusion is that segmentation should be measured against identity exposure, not only network containment.
Zero trust and microsegmentation become most valuable when identity sprawl is already visible. The more service accounts, API keys, and machine credentials an organisation has, the more important it is to separate trust decisions from containment decisions. This is where the governance burden shifts from perimeter thinking to identity scope management. The practitioner conclusion is to treat both controls as part of one access architecture.
Identity blast radius is the right concept for this topic. Zero trust limits who gets in, while microsegmentation limits where that identity can go. Together they define the maximum damage an over-privileged or compromised identity can cause. The practitioner conclusion is that access policy should be judged by blast-radius reduction, not by login success alone.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why zero trust often fails at the identity layer before it fails at the network layer.
- That visibility gap is explored further in 52 NHI Breaches Analysis, which shows how weak identity governance turns containment gaps into incidents.
What this signals
Identity blast radius: the real programme risk is not whether zero trust exists, but whether the organisation can prove that each identity is confined to a bounded set of systems. Where service accounts are invisible or over-privileged, segmentation becomes a partial control rather than a governance outcome.
NHI programmes should expect more pressure to evidence internal containment, not just authentication policy, because zero trust is increasingly being judged by what happens after the login event. The practical signal is whether access reviews, segmentation maps, and privileged access records tell the same story.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, teams cannot rely on network architecture alone. The next programme step is to connect identity inventory, entitlement review, and segment design in a single control view.
For practitioners
- Separate admission from containment: Define zero-trust policy as the control that decides whether an identity may authenticate and what it may request, then define microsegmentation as the control that limits east-west movement after access is granted. Document both layers in the same architecture review so gaps do not get hidden between teams.
- Map segments to identity classes: Group users, service accounts, workload identities, and administrative paths into distinct enforcement zones. Use the service boundaries that matter to the business, then verify that privileged identities cannot cross those boundaries without an explicit policy reason.
- Measure blast radius, not just access success: Test whether a compromised account can reach adjacent systems, sensitive data stores, or admin planes. A control stack is not mature if it authenticates well but still allows broad lateral movement after compromise.
- Review NHI and human access together: Run access reviews on service accounts, API keys, and human accounts in the same governance cycle so segmentation assumptions and entitlement assumptions stay aligned. This is especially important where workloads and humans share the same network paths.
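The blast-radius test described in the key questions ("whether the identity's practical blast radius is smaller than its authenticated access footprint") and in the "Measure blast radius" item above can be run as a simple reachability check over an identity's entitlements and a segmentation map. The following is an added example written for this page; it is not Axiad's or NHIMG's code, and every workload, segment, identity and entitlement in it is constructed sample data. It models the two layers the page separates: the IAM/zero-trust entitlement set decides which workloads an identity may authenticate to, and the segment flow policy decides which east-west connections enforcement permits; a compromised credential can pivot only where both layers allow it. It also assumes that workloads within the same segment may talk to each other, and that a `REQUIRED` set from an access review exists so that standing excess privilege can be separated from the entitlements the identity actually needs.

```python
"""Identity blast-radius check (added example; all names are constructed).

Zero trust / IAM layer : which workloads an identity may authenticate to.
Microsegmentation layer: which segment-to-segment flows enforcement permits.
A compromised identity reaches a workload only if BOTH layers allow it, and
can then pivot from that workload's segment with the same credential.
"""
from collections import deque

# Constructed inventory: workload -> segment it is deployed in.
WORKLOAD_SEGMENT = {
    "web-frontend": "dmz",
    "orders-api": "app",
    "billing-api": "app",
    "orders-db": "data",
    "payments-db": "data",
    "ci-runner": "build",
    "admin-jumpbox": "mgmt",
}

# Microsegmentation policy as (source_segment, destination_segment) pairs that
# enforcement permits; anything not listed is denied. Assumption: workloads in
# the same segment may talk to each other.
SEGMENTED_FLOWS = {
    ("dmz", "app"),
    ("app", "data"),
    ("build", "app"),
    ("mgmt", "app"), ("mgmt", "data"), ("mgmt", "build"),
}

# The same estate with no east-west enforcement: every segment reaches every other.
_SEGMENTS = set(WORKLOAD_SEGMENT.values())
FLAT_FLOWS = {(src, dst) for src in _SEGMENTS for dst in _SEGMENTS}

# IAM / zero-trust layer: the workloads each identity is authorised to
# authenticate to. This set is the identity's authenticated access footprint.
ENTITLEMENTS = {
    # Service account carrying standing privilege well beyond the orders service.
    "svc-orders": {"orders-api", "orders-db", "billing-api", "payments-db", "admin-jumpbox"},
    # Workload identity scoped to what it actually needs.
    "svc-web": {"orders-api"},
}

# What each identity needs for its job (assumed output of an access review);
# the difference from ENTITLEMENTS is standing excess privilege.
REQUIRED = {
    "svc-orders": {"orders-api", "orders-db"},
    "svc-web": {"orders-api"},
}


def can_flow(src_workload, dst_workload, flows):
    """True if segmentation permits src_workload to open a connection to dst_workload."""
    src_seg, dst_seg = WORKLOAD_SEGMENT[src_workload], WORKLOAD_SEGMENT[dst_workload]
    return src_seg == dst_seg or (src_seg, dst_seg) in flows


def practical_blast_radius(identity, foothold, flows):
    """Workloads a compromised `identity` can reach, starting on `foothold`.

    A hop from A to B succeeds only if the identity is entitled to B (IAM) and
    segment(A) -> segment(B) is permitted (segmentation). Once on B the attacker
    reuses the same credential from B's segment, so this is a breadth-first
    search over lateral-movement hops. The foothold itself is not counted.
    """
    entitled = ENTITLEMENTS[identity]
    seen, queue = {foothold}, deque([foothold])
    while queue:
        here = queue.popleft()
        for target in entitled - seen:
            if can_flow(here, target, flows):
                seen.add(target)
                queue.append(target)
    return seen - {foothold}


def blast_radius_report(identity, foothold, flows):
    """Compare the authenticated footprint with the practical blast radius.

    `reachable_via_excess_privilege` is the part of the blast radius that
    segmentation cannot remove: it exists only because the entitlement was
    granted, so the fix belongs in IAM, not in the network policy.
    """
    footprint = ENTITLEMENTS[identity] - {foothold}
    reach = practical_blast_radius(identity, foothold, flows)
    excess = ENTITLEMENTS[identity] - REQUIRED[identity]
    return {
        "footprint": sorted(footprint),
        "practical_reach": sorted(reach),
        "blocked_by_segmentation": sorted(footprint - reach),
        "reachable_via_excess_privilege": sorted(reach & excess),
        "segmentation_shrinks_footprint": len(reach) < len(footprint),
    }


if __name__ == "__main__":
    for label, flows in (("segmented", SEGMENTED_FLOWS), ("flat", FLAT_FLOWS)):
        print(label, blast_radius_report("svc-orders", "web-frontend", flows))
```

Run against the constructed data, `svc-orders` compromised on `web-frontend` shows both failure modes the technical breakdown describes. With the segmented flow policy, the `admin-jumpbox` entitlement is blocked (no segment may reach `mgmt`), but `billing-api` and `payments-db` remain reachable through the permitted `dmz -> app -> data` path; they appear under `reachable_via_excess_privilege` because the identity never needed them, which is the over-privileged-but-segmented case that only an entitlement review can fix. With `FLAT_FLOWS` the practical reach equals the whole footprint, which is the strong-login-but-open-east-west case. The tightly scoped `svc-web` reaches only `orders-api` under either policy, so a result of "segmentation does not shrink the footprint" is acceptable when the footprint itself is already minimal; the metric to manage is the size of the practical reach and the excess-privilege share of it, not the shrink flag on its own.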
Key takeaways
- Zero trust and microsegmentation solve different parts of the same problem: admission risk and movement risk.
- The main failure mode is assuming that authentication controls and containment controls are interchangeable.
- Practitioners should judge these controls by how much they shrink identity blast radius across human and non-human access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions, entitlements, and authorisations must be managed under least privilege and aligned with the access scope described in the article. |
| NIST Zero Trust (SP 800-207) | Zero trust architecture tenets and policy enforcement model | Zero trust architecture is the article's primary conceptual model. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | NHI entitlement sprawl is central to the zero-trust gap discussed here. |
Define explicit trust decisions and continuously verify access instead of assuming network location is safe.
Key terms
- Zero trust: A security model that removes implicit trust from access decisions and requires verification before granting access. In identity governance, it means evaluating each request on context, identity, and policy instead of assuming the network location or account type is inherently safe.
- Microsegmentation: A containment technique that divides environments into smaller security zones with separate enforcement. It limits how far a user, workload, or attacker can move after access is granted, which makes it a blast-radius control rather than an authentication control.
- Lateral movement: The process by which an attacker or compromised identity moves from one system to another inside an environment. It is a key indicator of containment failure because it shows that access controls allowed the identity to reach more than its intended scope.
- Blast radius: The amount of damage an identity or compromise can cause before it is contained. In practice, blast radius reflects both privilege scope and segmentation quality, so it is one of the clearest ways to judge whether access architecture is working.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Axiad: Zero Trust and Microsegmentation: An Explainer. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org